Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-311 (敏感数据加密缺失) — Vulnerability Class 257

257 vulnerabilities classified as CWE-311 (敏感数据加密缺失). AI Chinese analysis included.

CWE-311 represents a critical data protection weakness where software fails to encrypt sensitive information before storage or transmission, leaving confidential data exposed in plaintext. Attackers typically exploit this vulnerability by intercepting network traffic through man-in-the-middle attacks or by gaining unauthorized physical or logical access to storage systems, allowing them to read credentials, financial records, or personal identifiable information without obstruction. To mitigate this risk, developers must implement robust cryptographic standards, such as AES-256 for data at rest and TLS 1.3 for data in transit, ensuring that all sensitive payloads are securely encoded. Furthermore, rigorous code reviews and automated static analysis tools should be employed to detect missing encryption calls, while strict key management practices guarantee that cryptographic keys themselves remain protected from compromise, thereby maintaining the confidentiality and integrity of the entire system.

MITRE CWE Description
The product does not encrypt sensitive or critical information before storage or transmission.
Common Consequences (2)
ConfidentialityRead Application Data
If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to…
Confidentiality, IntegrityModify Application Data
Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communica…
Mitigations (5)
RequirementsClearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
Architecture and DesignEnsure that encryption is properly integrated into the system design, including but not necessarily limited to: Encryption that is needed to store or transmit private data of the users of the system Encryption that is needed to protect the system itself from unauthorized disclosure or tampering Identify the separate needs and contexts for encryption: One-way (i.e., only the user or recipient needs…
Architecture and DesignWhen there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 1…
Architecture and DesignCompartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Architecture and DesignWhen using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Examples (2)
This code writes a user's login information to a cookie so the user does not have to login again later.
function persistLogin($username, $password){ $data = array("username" => $username, "password"=> $password); setcookie ("userdata", $data); }
Bad · PHP
The following code attempts to establish a connection, read in a password, then store it to a buffer.
server.sin_family = AF_INET; hp = gethostbyname(argv[1]); if (hp==NULL) error("Unknown host"); memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length); if (argc < 3) port = 80; else port = (unsigned short)atoi(argv[3]); server.sin_port = htons(port); if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting"); ... while ((n=read(sock,buffer,BUFSIZE-1))!=-1) { write(dfd,password_buffer,n); ...
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2019-18254 Biotronik CardioMessenger II-S 安全漏洞 — BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM 4.6 -2020-06-29
CVE-2020-12032 Baxter ExactaMix EM2400和EM1200 安全漏洞 — Baxter ExactaMix EM 2400 & EM 1200 9.1 -2020-06-29
CVE-2020-10273 RVD#2560: Unprotected intellectual property in Mobile Industrial Robots (MiR) controllers — MiR100 7.5 -2020-06-24
CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save — LibreOffice 8.2 -2020-05-18
CVE-2020-10267 RVD#1489: Unprotected intelectual property in Universal Robots controller CB 3.1 across firmware versions — UR3, UR5 and UR10 6.5 -2020-04-06
CVE-2019-13922 Siemens SINEMA Remote Connect Server 安全漏洞 — SINEMA Remote Connect Server 4.9 -2019-09-13
CVE-2019-13419 floragunn Search Guard 信息泄露漏洞 — Search Guard 7.5 -2019-08-13
CVE-2019-13418 floragunn Search Guard 输入验证错误漏洞 — Search Guard 7.5 -2019-08-12
CVE-2019-5448 Yarn 加密问题漏洞 — yarn 8.1 -2019-07-30
CVE-2019-6526 多款Moxa产品加密问题漏洞 — IKS, EDS 9.8 -2019-04-12
CVE-2018-16879 Ansible Tower 信息泄露漏洞 — Tower 9.4 -2019-01-03
CVE-2018-18984 Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers Missing Encryption of Sensitive Data — CareLink 9790 Programmer 4.6 Medium2018-12-14
CVE-2018-17915 Xiongmai XMeye P2P Cloud Server 安全漏洞 — XMeye P2P Cloud Server 9.8 -2018-10-10
CVE-2018-4855 Siemens SICLOCK TC100和SICLOCK TC400 安全漏洞 — SICLOCK TC100, SICLOCK TC400 5.7 -2018-07-03
CVE-2017-16040 gfe-sass 安全漏洞 — gfe-sass node module 8.1 -2018-06-04
CVE-2016-10695 npm-test-sqlite3-trunk 安全漏洞 — npm-test-sqlite3-trunk node module 8.1 -2018-06-04
CVE-2016-10696 windows-latestchromedriver 安全漏洞 — windows-latestchromedriver node module 8.1 -2018-06-04
CVE-2016-10697 react-native-baidu-voice-synthesizer 安全漏洞 — react-native-baidu-voice-synthesizer node module 8.1 -2018-06-04
CVE-2017-16041 ikst 安全漏洞 — ikst node module 5.9 -2018-06-04
CVE-2017-16035 hubl-server模块安全漏洞 — hubl-server node module 8.1 -2018-06-04
CVE-2016-10683 arcanist 安全漏洞 — arcanist node module 8.1 -2018-06-04
CVE-2016-10684 healthcenter 安全漏洞 — healthcenter node module 8.1 -2018-06-04
CVE-2016-10685 pk-app-wonderbox 安全漏洞 — pk-app-wonderbox node module 8.1 -2018-06-04
CVE-2016-10687 windows-selenium-chromedriver 安全漏洞 — windows-selenium-chromedriver node module 8.1 -2018-06-04
CVE-2016-10688 Haxe 3 安全漏洞 — haxe3 node module 8.1 -2018-06-04
CVE-2016-10693 pm2-kafka 安全漏洞 — pm2-kafka node module 8.1 -2018-06-04
CVE-2016-10686 fis-sass-all 安全漏洞 — fis-sass-all node module 8.1 -2018-06-04
CVE-2016-10694 alto-saxophone 安全漏洞 — alto-saxophone node module 8.1 -2018-06-04
CVE-2016-10689 windows-iedriver模块安全漏洞 — windows-iedriver node module 8.1 -2018-06-04
CVE-2016-10691 windows-seleniumjar 安全漏洞 — windows-seleniumjar node module 8.1 -2018-06-04

Vulnerabilities classified as CWE-311 (敏感数据加密缺失) represent 257 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.